Use separate script to build hardened variant

build_hardened.py

@@ -0,0 +1,48 @@
+import os
+import shutil
+import subprocess
+
+
+def update_setup_py():
+    """Update the setup.py file to replace loguru with loguru-hardened"""
+    with open("setup.py", "r") as f:
+        setup_py = f.read()
+
+    # Replace loguru with loguru-hardened
+    setup_py = setup_py.replace('name="loguru"', 'name="loguru-hardened"')
+
+    # Write the updated setup.py file
+    with open("setup.py", "w") as f:
+        f.write(setup_py)
+
+
+def replace_with_hardened_files():
+    """Replace the loguru files with hardened versions"""
+    # Walk hardened folder and copy files to loguru folder
+    for root, _, files in os.walk("hardened"):
+        for file in files:
+            assert os.path.isfile(os.path.join("loguru", file))
+            # Copy file to loguru folder
+            shutil.copy(os.path.join(root, file), os.path.join("loguru", file))
+
+
+def main():
+    """Update the setup.py file for logoru-hardened
+
+    - copy hardened files in place,
+    - test
+    - build
+    - git checkout changes
+    """
+    update_setup_py()
+    replace_with_hardened_files()
+    tox_test_result = subprocess.run(["tox", "-e", "tests"])
+    tox_test_result.check_returncode()
+    build_result = subprocess.run(["python", "-m", "build"])
+    build_result.check_returncode()
+    git_checkout_result = subprocess.run(["git", "checkout", "loguru", "setup.py"])
+    git_checkout_result.check_returncode()
+
+
+if __name__ == "__main__":
+    main()

hardened/README.rst

@@ -0,0 +1,10 @@
+Loguru hardened
+---------------
+
+Loguru hardened is a release of loguru which has small patches to make the default use more secure (and less developer friendly).
+
+The following changes make loguru-hardened different:
+
+- Use serialize by default to mitigate possible injection of newlines by logging data injected by malicious user.
+  See https://huntr.com/bounties/73ebb08a-0415-41be-b9b0-0cea067f6771
+- Disable diagnose by default, to keep context information from leaking into the logs.

hardened/_defaults.py

@@ -0,0 +1,75 @@
+from os import environ
+
+
+def env(key, type_, default=None):
+    if key not in environ:
+        return default
+
+    val = environ[key]
+
+    if type_ == str:
+        return val
+    if type_ == bool:
+        if val.lower() in ["1", "true", "yes", "y", "ok", "on"]:
+            return True
+        if val.lower() in ["0", "false", "no", "n", "nok", "off"]:
+            return False
+        raise ValueError(
+            "Invalid environment variable '%s' (expected a boolean): '%s'" % (key, val)
+        )
+    if type_ == int:
+        try:
+            return int(val)
+        except ValueError:
+            raise ValueError(
+                "Invalid environment variable '%s' (expected an integer): '%s'" % (key, val)
+            ) from None
+    raise ValueError("The requested type '%r' is not supported" % type_)
+
+
+LOGURU_AUTOINIT = env("LOGURU_AUTOINIT", bool, True)
+
+LOGURU_FORMAT = env(
+    "LOGURU_FORMAT",
+    str,
+    "<green>{time:YYYY-MM-DD HH:mm:ss.SSS}</green> | "
+    "<level>{level: <8}</level> | "
+    "<cyan>{name}</cyan>:<cyan>{function}</cyan>:<cyan>{line}</cyan> - <level>{message}</level>",
+)
+LOGURU_FILTER = env("LOGURU_FILTER", str, None)
+LOGURU_LEVEL = env("LOGURU_LEVEL", str, "DEBUG")
+LOGURU_COLORIZE = env("LOGURU_COLORIZE", bool, None)
+LOGURU_SERIALIZE = env("LOGURU_SERIALIZE", bool, True)
+LOGURU_BACKTRACE = env("LOGURU_BACKTRACE", bool, True)
+LOGURU_DIAGNOSE = env("LOGURU_DIAGNOSE", bool, False)
+LOGURU_ENQUEUE = env("LOGURU_ENQUEUE", bool, False)
+LOGURU_CONTEXT = env("LOGURU_CONTEXT", str, None)
+LOGURU_CATCH = env("LOGURU_CATCH", bool, True)
+
+LOGURU_TRACE_NO = env("LOGURU_TRACE_NO", int, 5)
+LOGURU_TRACE_COLOR = env("LOGURU_TRACE_COLOR", str, "<cyan><bold>")
+LOGURU_TRACE_ICON = env("LOGURU_TRACE_ICON", str, "\u270F\uFE0F")  # Pencil
+
+LOGURU_DEBUG_NO = env("LOGURU_DEBUG_NO", int, 10)
+LOGURU_DEBUG_COLOR = env("LOGURU_DEBUG_COLOR", str, "<blue><bold>")
+LOGURU_DEBUG_ICON = env("LOGURU_DEBUG_ICON", str, "\U0001F41E")  # Lady Beetle
+
+LOGURU_INFO_NO = env("LOGURU_INFO_NO", int, 20)
+LOGURU_INFO_COLOR = env("LOGURU_INFO_COLOR", str, "<bold>")
+LOGURU_INFO_ICON = env("LOGURU_INFO_ICON", str, "\u2139\uFE0F")  # Information
+
+LOGURU_SUCCESS_NO = env("LOGURU_SUCCESS_NO", int, 25)
+LOGURU_SUCCESS_COLOR = env("LOGURU_SUCCESS_COLOR", str, "<green><bold>")
+LOGURU_SUCCESS_ICON = env("LOGURU_SUCCESS_ICON", str, "\u2705")  # White Heavy Check Mark
+
+LOGURU_WARNING_NO = env("LOGURU_WARNING_NO", int, 30)
+LOGURU_WARNING_COLOR = env("LOGURU_WARNING_COLOR", str, "<yellow><bold>")
+LOGURU_WARNING_ICON = env("LOGURU_WARNING_ICON", str, "\u26A0\uFE0F")  # Warning
+
+LOGURU_ERROR_NO = env("LOGURU_ERROR_NO", int, 40)
+LOGURU_ERROR_COLOR = env("LOGURU_ERROR_COLOR", str, "<red><bold>")
+LOGURU_ERROR_ICON = env("LOGURU_ERROR_ICON", str, "\u274C")  # Cross Mark
+
+LOGURU_CRITICAL_NO = env("LOGURU_CRITICAL_NO", int, 50)
+LOGURU_CRITICAL_COLOR = env("LOGURU_CRITICAL_COLOR", str, "<RED><bold>")
+LOGURU_CRITICAL_ICON = env("LOGURU_CRITICAL_ICON", str, "\u2620\uFE0F")  # Skull and Crossbones